Merge pull request #303745 from quantenzitrone/ydotool

ydotool: refactor ; nixos/ydotool: init module & nixosTest
2024-10-06 04:27:27 +03:00 · 2024-05-13 15:49:49 +02:00 · 2024-05-13 15:49:49 +02:00 · 068c0e3c95
commit 068c0e3c95
parent 693abb01bc 8621da969e
7 changed files with 230 additions and 12 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -209,6 +209,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable).

+- [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable).
+
 - [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable).

 - [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of ["Zanzibar: Google's Consistent, Global Authorization System"](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -308,6 +308,7 @@
  ./programs/xwayland.nix
  ./programs/yabar.nix
  ./programs/yazi.nix
+  ./programs/ydotool.nix
  ./programs/yubikey-touch-detector.nix
  ./programs/zmap.nix
  ./programs/zsh/oh-my-zsh.nix
--- a/nixos/modules/programs/ydotool.nix
+++ b/nixos/modules/programs/ydotool.nix
@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.programs.ydotool;
+in
+{
+  meta = {
+    maintainers = with lib.maintainers; [ quantenzitrone ];
+  };
+
+  options.programs.ydotool = {
+    enable = lib.mkEnableOption ''
+      ydotoold system service and install ydotool.
+      Add yourself to the 'ydotool' group to be able to use it.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.ydotool = { };
+
+    systemd.services.ydotoold = {
+      description = "ydotoold - backend for ydotool";
+      wantedBy = [ "multi-user.target" ];
+      partOf = [ "multi-user.target" ];
+      serviceConfig = {
+        Group = "ydotool";
+        RuntimeDirectory = "ydotoold";
+        RuntimeDirectoryMode = "0750";
+        ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660";
+
+        # hardening
+
+        ## allow access to uinput
+        DeviceAllow = [ "/dev/uinput" ];
+        DevicePolicy = "closed";
+
+        ## allow creation of unix sockets
+        RestrictAddressFamilies = [ "AF_UNIX" ];
+
+        CapabilityBoundingSet = "";
+        IPAddressDeny = "any";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateNetwork = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ProtectUser = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
+
+        # -> systemd-analyze security score 0.7 SAFE 😀
+      };
+    };
+
+    environment.variables = {
+      YDOTOOL_SOCKET = "/run/ydotoold/socket";
+    };
+    environment.systemPackages = with pkgs; [ ydotool ];
+  };
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -1040,6 +1040,7 @@ in {
  xterm = handleTest ./xterm.nix {};
  xxh = handleTest ./xxh.nix {};
  yabar = handleTest ./yabar.nix {};
+  ydotool = handleTest ./ydotool.nix {};
  yggdrasil = handleTest ./yggdrasil.nix {};
  zammad = handleTest ./zammad.nix {};
  zeronet-conservancy = handleTest ./zeronet-conservancy.nix {};
--- a/nixos/tests/ydotool.nix
+++ b/nixos/tests/ydotool.nix
@ -0,0 +1,115 @@
+import ./make-test-python.nix (
+  { pkgs, lib, ... }:
+  let
+    textInput = "This works.";
+    inputBoxText = "Enter input";
+    inputBox = pkgs.writeShellScript "zenity-input" ''
+      ${lib.getExe pkgs.gnome.zenity} --entry --text '${inputBoxText}:' > /tmp/output &
+    '';
+  in
+  {
+    name = "ydotool";
+
+    meta = {
+      maintainers = with lib.maintainers; [
+        OPNA2608
+        quantenzitrone
+      ];
+    };
+
+    nodes = {
+      headless =
+        { config, ... }:
+        {
+          imports = [ ./common/user-account.nix ];
+
+          users.users.alice.extraGroups = [ "ydotool" ];
+
+          programs.ydotool.enable = true;
+
+          services.getty.autologinUser = "alice";
+        };
+
+      x11 =
+        { config, ... }:
+        {
+          imports = [
+            ./common/user-account.nix
+            ./common/auto.nix
+            ./common/x11.nix
+          ];
+
+          users.users.alice.extraGroups = [ "ydotool" ];
+
+          programs.ydotool.enable = true;
+
+          test-support.displayManager.auto = {
+            enable = true;
+            user = "alice";
+          };
+
+          services.xserver.windowManager.dwm.enable = true;
+          services.displayManager.defaultSession = lib.mkForce "none+dwm";
+        };
+
+      wayland =
+        { config, ... }:
+        {
+          imports = [ ./common/user-account.nix ];
+
+          services.cage = {
+            enable = true;
+            user = "alice";
+          };
+
+          programs.ydotool.enable = true;
+
+          services.cage.program = inputBox;
+        };
+    };
+
+    enableOCR = true;
+
+    testScript =
+      { nodes, ... }:
+      ''
+        def as_user(cmd: str):
+          """
+          Return a shell command for running a shell command as a specific user.
+          """
+          return f"sudo -u alice -i {cmd}"
+
+        start_all()
+
+        # Headless
+        headless.wait_for_unit("multi-user.target")
+        headless.wait_for_text("alice")
+        headless.succeed(as_user("ydotool type 'echo ${textInput} > /tmp/output'")) # text input
+        headless.succeed(as_user("ydotool key 28:1 28:0")) # text input
+        headless.screenshot("headless_input")
+        headless.wait_for_file("/tmp/output")
+        headless.wait_until_succeeds("grep '${textInput}' /tmp/output") # text input
+
+        # X11
+        x11.wait_for_x()
+        x11.execute(as_user("${inputBox}"))
+        x11.wait_for_text("${inputBoxText}")
+        x11.succeed(as_user("ydotool type '${textInput}'")) # text input
+        x11.screenshot("x11_input")
+        x11.succeed(as_user("ydotool mousemove -a 400 110")) # mouse input
+        x11.succeed(as_user("ydotool click 0xC0")) # mouse input
+        x11.wait_for_file("/tmp/output")
+        x11.wait_until_succeeds("grep '${textInput}' /tmp/output") # text input
+
+        # Wayland
+        wayland.wait_for_unit("graphical.target")
+        wayland.wait_for_text("${inputBoxText}")
+        wayland.succeed("ydotool type '${textInput}'") # text input
+        wayland.screenshot("wayland_input")
+        wayland.succeed("ydotool mousemove -a 100 100") # mouse input
+        wayland.succeed("ydotool click 0xC0") # mouse input
+        wayland.wait_for_file("/tmp/output")
+        wayland.wait_until_succeeds("grep '${textInput}' /tmp/output") # text input
+      '';
+  }
+)
--- a/pkgs/tools/wayland/ydotool/default.nix
+++ b/pkgs/tools/wayland/ydotool/default.nix
@ -1,13 +1,22 @@
-{ lib, stdenv, fetchFromGitHub, cmake, scdoc, util-linux, xorg }:
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  cmake,
+  scdoc,
+  util-linux,
+  xorg,
+  nixosTests,
+}:

-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
  pname = "ydotool";
  version = "1.0.4";

  src = fetchFromGitHub {
    owner = "ReimuNotMoe";
    repo = "ydotool";
-    rev = "v${version}";
+    rev = "v${finalAttrs.version}";
    hash = "sha256-MtanR+cxz6FsbNBngqLE+ITKPZFHmWGsD1mBDk0OVng=";
  };

@ -19,13 +28,22 @@ stdenv.mkDerivation rec {
  '';

  strictDeps = true;
-  nativeBuildInputs = [ cmake scdoc ];
+  nativeBuildInputs = [
+    cmake
+    scdoc
+  ];

-  meta = with lib; {
-    homepage = "https://github.com/ReimuNotMoe/ydotool";
+  passthru.tests.basic = nixosTests.ydotool;
+
+  meta = {
    description = "Generic Linux command-line automation tool";
-    license = licenses.agpl3Plus;
-    maintainers = with maintainers; [ willibutz kraem ];
-    platforms = with platforms; linux;
+    homepage = "https://github.com/ReimuNotMoe/ydotool";
+    license = lib.licenses.agpl3Plus;
+    mainProgram = "ydotool";
+    maintainers = with lib.maintainers; [
+      willibutz
+      kraem
+    ];
+    platforms = lib.platforms.linux;
  };
-}
+})
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -4765,8 +4765,6 @@ with pkgs;

  wtype = callPackage ../tools/wayland/wtype { };

-  ydotool = callPackage ../tools/wayland/ydotool { };
-
  cambalache = callPackage ../development/tools/cambalache { };

  cambrinary = python3Packages.callPackage ../applications/misc/cambrinary { };